In the wake of the Panama Papers

A guide for multinational corporations

Business interactions with offshore holding companies are at the forefront of the daily business headlines and likely top-of-mind for US and global regulators. Rules and regulations will continue to evolve. Corporate boards and governance committees will likely increase their focus on their companies’ exposures to these types of relationships. Companies may wish to act quickly to assess the nature and extent of any corruption, fraud, money laundering, and sanctions-related risks within their operations. To the extent any potential gaps are identified, companies should take action and implement policies, procedures, controls, and other corrective measures to mitigate the risk of non-compliance going forward.

How confident are you in your organization's ability to identify and mitigate corruption, fraud, money laundering, and sanctions risks?

How confident are you in your organization's ability to identify and mitigate corruption, fraud, money laundering, and sanctions risks?

How confident are you in your organization's ability to identify and mitigate corruption, fraud, money laundering, and sanctions risks?

Effects from the release of the Panama Papers

Background

On May 9, 2016, the International Consortium of Investigative Journalists (ICIJ) released a searchable database of the over 2.6 terabytes of internal data files (consisting of more than 11.5 million records dating back nearly 40 years) from Panama-headquartered law firm Mossack Fonseca (MF). The data files were leaked to a German newspaper and shared via the ICIJ. These records (collectively referred to as the “Panama Papers”) are reported to contain confidential information on over 210,000 offshore companies allegedly formed with the assistance from MF, as well as hundreds of associated corporations (including banks and law firms) and high-profile individuals (including political figures, athletes, and celebrities).

Aside from the data security-related implications of the release of the Panama Papers, these events could raise corruption, fraud, money laundering, and sanctions compliance concerns and risks for individuals and commercial entities. They could also require attention from various corporate units, including compliance, legal, and internal audit, as well as the business. While there may be legitimate reasons for establishing offshore companies and subsidiaries, and the release of the documents alone does not establish wrongdoing on the part of any of the named individuals or entities, the Panama Papers have:

Highlighted the corruption and fraud-related risks associated with conducting business with foreign offshore holding companies, as well as payments in and out of offshore locations such as Panama, British Virgin Islands, and the Bahamas, potentially placing companies “on notice” to review their own books and records for indicators of such concerns and risks

Increased the importance of having visibility into the ultimate corporate ownership structure of customers, vendors, and other third-party business partners

Such risks are not new by any means. In fact, investigations into offshore entities and shell companies have become more common at US authorities such as the Securities and Exchange Commission (SEC) and Department of Justice (DOJ)—as evidenced by the DOJ’s Offshore Compliance Initiative and Swiss Bank Program. In late 2015, executives at a US-based global logistics company pled guilty to Foreign Corrupt Practices Act (FCPA) and money laundering-related charges after the DOJ alleged the company had made over $2 million in bribe payments to Russian government officials through offshore bank accounts in Cyprus, Latvia, and Switzerland.2 In another case, the SEC charged a US-based pharmaceutical company with FCPA-related violations for a scheme in which the company allegedly funneled payments to government officials and other third parties through various offshore “marketing” companies. In its complaint, the SEC specifically noted that “transactions with offshore or government- affiliated entities did not receive specialized or closer review for possible FCPA violations,” and that “little was done to assess whether the terms or circumstances surrounding a transaction suggested the possibility of foreign bribery.”3

Regulatory scrutiny and enforcement around the use of offshore entities is not unique to the United States. Over the past several years, numerous authorities around the world (including Latin America and Europe) have brought allegations of bribery, corruption, and money laundering against a multinational energy corporation, as well as numerous related individuals and entities. Specifically, authorities are investigating allegations that, for almost a decade, potentially billions of dollars of bribes and kickbacks were provided to government officials and other individuals. Authorities have alleged most of these funds flowed through a vast network of offshore entities and shell companies located in jurisdictions such as Panama, Switzerland, Austria, and the British Virgin Islands.4

These enforcement trends, coupled with the high publicity and wealth of information obtained through the Panama Papers leak, make it clear that interactions and payments with offshore entities may continue to be a focus for both US and global regulators.

1. Under US sanctions regulations, assets that are majority-owned by any sanctioned entity or individual are automatically deemed “blocked.” Due to the Panama Papers leak, US regulators may be able to identify additional corporate ownership structures and assets held by those under sanctions, potentially expanding the list of restricted/prohibited entities.

Panama Papers by the numbers

Panama Papers by the numbers

Panama Papers by the numbers

Red flags and other risks of non-compliance

The Panama Papers leak is likely to have many compliance officers revisiting their respective companies’ exposure to relationships with third parties that utilize offshore entities. Companies eventually disclosed in the press may face increased scrutiny of their overall corruption, fraud, anti-money laundering (AML), and sanctions compliance programs. In anticipation of this increased scrutiny, companies seeking to understand the scope of their potential exposure may begin by identifying relationships with third parties (e.g., consultants, sales agents) who may have banking operations or fiduciary oversight (e.g., power of attorney) in foreign jurisdictions.

The ability of companies to identify these relationships quickly is dependent on numerous factors, such as the quality of accounting and vendor management systems, as well as the degree to which payment processes are centralized. Once identified, for each of these relationships, companies may then wish to identify all associated payments/transactions, review the extent of due diligence previously performed, assess the business rationale for maintaining the relationship, and then determine the need for additional investigation. Some potential red flags would include:

Inadequate, inconsistent, or unformulated third-party due diligence policies and procedures

Lack of visibility into the ultimate beneficial ownership structure of companies and potentially restricted entities (particularly with respect to offshore shell companies)

Limited use of advanced analytics to monitor payments to thinly capitalized holding companies in offshore locations (e.g., Panama, British Virgin Islands, Bahamas) and potentially restricted entities—including those that may be made through third parties

Given the breadth, depth, and complexity of the potential implications surrounding the Panama Papers leak (as well as other similar existing regulatory enforcement trends), it is critical that companies consider a risk-based, tailored approach to proactively assess any corruption, fraud, money laundering, and sanctions compliance risks to which they may be subject (either through direct association with the Panama Paper’s leak, or through separate regulatory inquiries resulting from the large number of global regulatory actions that have been—and will continue to be—announced).

Our solutions and approach

Deloitte’s Forensic and Risk practitioners have supported companies in assessing and mitigating the range of corruption, fraud, money laundering, and sanctions-related risks that have been highlighted as a result of the release of the Panama Papers. Recognizing there is no “one size fits all” approach to accomplishing this, examples of solutions we offer include:

Anti-corruption/fraud/AML/sanctions compliance program risk assessment
Deloitte has the knowledge and experience to provide an overall assessment (or health check) of your existing anti-corruption, anti-fraud, AML, and sanctions compliance program. Specifically, we can assess your program (including policies, procedures, training, internal controls, and monitoring) to help determine the level of potential risk exposure facing your business. This assessment will be based on regulatory guidance, as well as leading industry practices we have seen and helped companies establish. We can work with you to develop various quantitative and qualitative risk models (specifically covering areas such as anti-corruption, anti-fraud, AML, and sanctions) that may then be integrated across the broader compliance function to provide a holistic view of potential risks inherent in your operations.

Customer/vendor due diligence
Deloitte’s Automated Customer/Vendor Screening tool can help screen counterparty databases in an efficient manner to identify risk-relevant connections to sanctioned entities and individuals. Specifically, our automated solution is designed to efficiently identify shareholders of a potential customer/vendor (including through a chain of intermediary companies or directorship) using global corporate registries and other sources of information.

Should automated screening flag certain customers or vendors? Deloitte offers a suite of more traditional business investigative services to help further verify the ultimate corporate structure/beneficial ownership, as well as the potential reputational risks of a given relationship. Specifically, we may search global corporate records databases, which draw information from a number of key local government agencies (including, using Russia as an example, the Federal Tax Service and the Federal State Statistics Service).

In addition, we would conduct searches of local press and online sources to seek to establish the ultimate beneficial owners behind offshore holding companies, which are often used to obscure shareholding structures. Moreover, we would rely on corporate records and local-language press in developing backgrounds and corporate affiliations for principals of the subject company, revealing any risk-relevant connections.

Transaction monitoring and data analytics
Systems implemented by institutions are only as good as the analytics that support them. Deloitte’s Corruption, Fraud, AML, and Sanctions capabilities combine analytics technology and techniques with human interaction to help detect potentially improper transactions—either before the transactions are completed or after they occur. This process involves gathering and storing relevant data and mining it for patterns, discrepancies, and anomalies (e.g., payments to offshore jurisdictions, potentially restricted entities, or other high-risk entities).

Furthermore, Deloitte’s non-rules-based analyses can uncover new patterns, trends, fraudulent schemes, and scenarios that traditional approaches may miss. These findings are then translated into insights that can help you manage potential threats before they occur, as well as develop a proactive corruption, fraud, AML, and sanctions detection environment. Here, analytics will have both a forward- and backward-looking perspective. It will be useful to understand the transaction patterns, transacting parties, and related parties to the offshore companies interacting with your organization. It will be beneficial in planning to spot other companies that may pose similar issues but may not be on current lists. It will also be helpful in determining whether exposure and/or reporting obligations may exist regarding prior events.

Internal reviews and investigations
Should the analysis render findings that should be investigated? Deloitte assists companies in conducting retrospective reviews and investigations to help answer the who, what, when, where, why, and how questions that give rise to an inquiry—whether self-initiated or as a result of a regulatory, judicial, or law enforcement request. From an AML/ sanctions perspective, our lookback analyses include identifying relevant transactions that exhibit potentially suspicious activity, which additionally may help modify and improve ongoing transaction monitoring and management reporting practices.

Why companies need to act now

It is difficult to understand the potential impact of the release of the Panama Papers, as analysis is completed on the available database and further disclosures (potentially identifying additional companies involved) are expected over the coming weeks and months.

What seems clear is that business interactions with offshore holding companies are, at least for the time being, at the forefront of the daily business headlines and likely top-of-mind for US and global regulators. As rules and regulations continue to evolve, corporate boards and governance committees will likely shift (or increase) their focus on their respective companies’ exposures to these types of relationships. Companies may wish to act quickly to assess the nature and extent of any corruption, fraud, money laundering, and sanctions-related risks within their operations. To the extent any potential gaps are identified, companies should take action and implement policies, procedures, controls, and other corrective measures to mitigate the risk of non-compliance going forward.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UdK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see About Deloitte to learn more about our global network of member firms.